Description
A reflected cross-site scripting (XSS) vulnerability can be triggered in applications that use Astro's server islands feature, regardless of what the component template(s) were intended to render.
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): <= 5.15.6
- Patched version(s): 5.15.8
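To act on the version details above, a practitioner usually wants a quick check of every astro copy in a project's dependency tree, including nested ones. The script below is an added example, not code from this advisory or from the Astro project. It embeds the affected and patched versions stated above, does a minimal semver comparison without external packages (the pre-release ordering is a simplified string compare, an assumption kept deliberately small), and walks a tree in the shape that `npm ls --json --all` prints (a `dependencies` map whose entries carry a `version`). The sample tree at the bottom is constructed for the demonstration.

```javascript
// Added example: flag astro versions in the affected range stated by the advisory.
const AFFECTED_MAX = "5.15.6"; // from the advisory: affected <= 5.15.6
const PATCHED = "5.15.8";      // from the advisory: patched in 5.15.8

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Semver-style comparison: numeric core first; a pre-release sorts BEFORE the
// same core version without one, so 5.15.6-beta.1 < 5.15.6. Pre-release
// identifiers are compared as plain strings here (simplification, assumption).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
}

// "affected" and "patched" follow the advisory's numbers; anything in between
// (e.g. 5.15.7) is not listed on the page, so it is reported as "unlisted"
// rather than silently treated as fixed.
function classify(version) {
  if (compareVersions(version, AFFECTED_MAX) <= 0) return "affected";
  if (compareVersions(version, PATCHED) >= 0) return "patched";
  return "unlisted";
}

// Walk an `npm ls --json --all` style tree and collect every astro copy that
// is not confirmed patched, with the dependency path that pulled it in.
function findUnpatchedAstro(tree, path = [], out = []) {
  for (const [name, dep] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, `${name}@${dep.version ?? "?"}`];
    if (name === "astro" && dep.version) {
      const status = classify(dep.version);
      if (status !== "patched") out.push({ path: here.join(" > "), version: dep.version, status });
    }
    findUnpatchedAstro(dep, here, out);
  }
  return out;
}

// Constructed sample tree (not real project data): a direct astro 5.15.6 and a
// nested, already patched astro 5.15.8 under an integration package.
const SAMPLE_TREE = {
  name: "my-site",
  version: "1.0.0",
  dependencies: {
    astro: { version: "5.15.6" },
    "@astrojs/node": { version: "9.0.0", dependencies: { astro: { version: "5.15.8" } } },
  },
};

console.log(JSON.stringify(findUnpatchedAstro(SAMPLE_TREE), null, 2));
```

In a real project, pipe `npm ls --json --all` into `JSON.parse` and hand the result to `findUnpatchedAstro`; a non-empty list means at least one astro copy still needs the update the recommendation above describes.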
References
Related Issues
- Quill is vulnerable to XSS via HTML export feature - CVE-2025-15056
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
Tags: npm, astro
Last updated on November 19, 2025